Set up VMware AirWatch Secure Email Gateway (SEG) Classic in Microsoft Exchange 2016 Environment

This post was modified on 04/26/19 to include clarification on the credential expiration issue with the local SEGadmin account.

While support for Secure Email Gateway (SEG) Classic is going away by early May 2019, it’s still worth documenting for those who may not be ready to set up or migrate to SEG V2 just yet.

Steps should be relatively the same whether it be Exchange 2010, 2013 or 2016. The same goes with either console version 9.x or 18.xx and above. My screenshots were based on console version 9.4 and SEG version 9.5.

My sequence with this setup is a little different from what AirWatch recommends per their online documentation. I also confirmed this with VMware support.

  1. Pre-requisites for Implementation of SEG (Classic Platform)
  2. Enable Basic Authentication – Moved up from step 3
  3. Configure the Classic Platform  – Moved down from step 2
  4. Install the SEG (Classic Platform)
  5. Configure the Classic Platform with the SEG Setup Wizard

Pre-requisites for Implementation of SEG (Classic Platform)

Follow the relevant sections (e.g. hardware, software, network, certificate) within the link. For instance, we enabled SOAP API.

You may also enable REST API ahead of SEG V2 migration.

I suggest creating both the “SOAP API General” role and the SEG Admin Account required during SEG configuration now before proceeding further.

Here, you must grant Edit permission (confirmed with VMware support).

Create an SEG Admin Account. It does not need access to the console beyond making API calls. Starting with console version 9.4, the credential of any basic account expires after 30 days, and this applies to the SEG Admin account as well. Per the link below, however, this is OK until you are ready to upgrade your SEG, at which point a new credential might need to be set.

API calls blocked if Basic Admin account authentication is past the password expiration period

“In environments in which basic authentication was used during the initial installation of the SEG (V2 or Classic) updated credentials will only need to be used when upgrading or reinstalling the SEG. After the setup procedure, SEG uses Certificate/CMS for authentication and, therefore, basic credentials are only required to establish initial communication.”

You may also work with VMware support to extend the expiration date for ALL basic accounts from the default 30 days to 9999 days.

Enable Basic Authentication

This step is optional on the SEG server. If you skip it, anonymous authentication will be used.

Configure the Classic Platform

For Secure Email Gateway URL, enter https://external-SEG-URL; /segconsole/management.ashx will be appended automatically.

For Use Basic Authentication, selecting ENABLE requires the additional information configured earlier.

You may skip the below if it’s not configured just yet.

[Screenshots: SEG6.png, SEG7.png, SEG8.png, SEG9.png]

Uncheck Use Default Settings to make changes accordingly.

Install the SEG (Classic Platform)

Right-click on the installer and run as administrator to begin installation.

Configure the Classic Platform with the SEG Setup Wizard

API Hostname: https://asXXX.awmdm.com or your internal API URL.

Enter email address as username@mycompany.com and click Verify.

You may change the Log Level here as you see fit to help expedite troubleshooting future issues.

For an additional SEG server, the AirWatch implementation engineer recommends setting it up manually instead of exporting the configuration file from the console and then importing it on the new SEG server.

Validation

To validate connectivity to Microsoft Exchange ActiveSync (EAS) from the SEG server, open a web browser and go to https://your-SEG-URL.com/microsoft-server-activesync. If the connection is successful, you should be prompted for your username and password.
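
The browser check above can also be scripted. The following is an added example, not part of the original post or of VMware's tooling: it sends one unauthenticated request to the ActiveSync path with certificate verification on, and treats a 401 carrying a WWW-Authenticate challenge as the credential prompt. The function names and the one-challenge-per-header parsing are assumptions of this example.

```python
import ssl
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

EAS_PATH = "/microsoft-server-activesync"  # path given in the post


def auth_schemes(header_values):
    """Lower-cased schemes from WWW-Authenticate headers (assumes one challenge per header)."""
    schemes = []
    for value in header_values:
        parts = value.split()
        if parts and parts[0].lower() not in schemes:
            schemes.append(parts[0].lower())
    return schemes


def classify(status, header_values, scheme="https"):
    """Map the reply to an unauthenticated request into (ok, message)."""
    offered = auth_schemes(header_values)
    if status == 401 and offered:
        if "basic" in offered and scheme != "https":
            return False, "Basic challenge over cleartext HTTP exposes credentials"
        return True, "credential prompt offered: " + ", ".join(offered)
    if status == 401:
        return False, "401 without WWW-Authenticate, so no credential prompt"
    if 200 <= status < 300:
        return False, f"HTTP {status} without a credential prompt"
    return False, f"unexpected HTTP {status}"


def probe(base_url, timeout=10):
    """Send one unauthenticated GET to the EAS path; the certificate is verified."""
    url = base_url.rstrip("/") + EAS_PATH
    scheme = urlsplit(url).scheme
    context = ssl.create_default_context()  # default trust store, hostname check on
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=context) as resp:
            return classify(resp.status, resp.headers.get_all("WWW-Authenticate") or [], scheme)
    except urllib.error.HTTPError as err:
        return classify(err.code, err.headers.get_all("WWW-Authenticate") or [], scheme)
    except OSError as err:  # URLError, TLS and socket errors are all OSError
        return False, f"connection failed: {err}"


if __name__ == "__main__" and len(sys.argv) > 1:
    print(probe(sys.argv[1]))  # e.g. https://your-SEG-URL.com
```

A certificate or hostname mismatch on the SEG URL surfaces as "connection failed", which a browser would show as a certificate warning instead.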

As always, stay mobile!
